From: Richard S. <hob...@gm...> - 2022-03-09 13:51:01

Just a heads up, but Fedora Linux is considering dropping SHA-1 support since it's no longer considered secure. I can't remember what TQSL uses so wanted to check here if TQSL would be impacted.

Thanks,
Richard KF5OIM
From: Greg T. <gd...@le...> - 2022-03-09 14:01:33
Attachments: signature.asc

Richard Shaw <hob...@gm...> writes:

> Just a heads up, but Fedora Linux is considering dropping SHA-1 support
> since it's no longer considered secure. I can't remember what TQSL uses so
> wanted to check here if TQSL would be impacted.

Do you mean "remove support for SHA-1 from the system"? That seems extreme and likely to cause a huge amount of trouble. What's the story about git?

If you mean "encourage use of SHA2 and others instead for most uses, and require it for validating packages", that's something else.
From: Richard S. <hob...@gm...> - 2022-03-09 17:29:13

On Wed, Mar 9, 2022 at 8:01 AM Greg Troxel <gd...@le...> wrote:
>
> Richard Shaw <hob...@gm...> writes:
>
> > Just a heads up, but Fedora Linux is considering dropping SHA-1 support
> > since it's no longer considered secure. I can't remember what TQSL uses so
> > wanted to check here if TQSL would be impacted.
>
> Do you mean "remove support for SHA-1 from the system"? That seems
> extreme and likely to cause a huge amount of trouble. What's the story
> about git?
>
> If you mean "encourage use of SHA2 and others instead for most uses, and
> require it for validating packages", that's something else.

Here's the link to the thread. It's probably better to read it there than for me to try and paraphrase. I'm certainly not an encryption expert by any means.

https://lists.fedoraproject.org/archives/list/de...@li.../thread/VVLHQAWI3IQ7NRLKMUHJ27JV3V2JAFDP/

Thanks,
Richard KF5OIM
From: Greg T. <gd...@le...> - 2022-03-09 17:34:28
Attachments: signature.asc

Richard Shaw <hob...@gm...> writes:

> On Wed, Mar 9, 2022 at 8:01 AM Greg Troxel <gd...@le...> wrote:
>
>> Richard Shaw <hob...@gm...> writes:
>>
>> > Just a heads up, but Fedora Linux is considering dropping SHA-1 support
>> > since it's no longer considered secure. I can't remember what TQSL uses so
>> > wanted to check here if TQSL would be impacted.
>>
>> Do you mean "remove support for SHA-1 from the system"? That seems
>> extreme and likely to cause a huge amount of trouble. What's the story
>> about git?
>>
>> If you mean "encourage use of SHA2 and others instead for most uses, and
>> require it for validating packages", that's something else.
>
> Here's the link to the thread. It's probably better to read it there than
> for me to try and paraphrase. I'm certainly not an encryption expert by any
> means.
>
> https://lists.fedoraproject.org/archives/list/de...@li.../thread/VVLHQAWI3IQ7NRLKMUHJ27JV3V2JAFDP/

Thanks. It looks like it means withdraw SHA-1 from openssl. Wow.

Here's the key quote:

  Fedora is a large distribution with short release cycles, and the only
  realistic way to weed out its reliance on SHA-1 signatures from all of
  its numerous dark corners is to break them.
From: Rick M. <k1...@ar...> - 2022-03-09 19:05:32

TQSL doesn't use SHA-1 (other than potential access to TLS-protected webpages.) TQSL uses MD5 for signing logs and for callsign certificates. Fedora disabled MD5 some time ago, but enabled a bypass - MD5 is enabled if environment variable OPENSSL_ENABLE_MD5_VERIFY is defined. I'm assuming they'll do the same here for SHA-1.

So, in short, no impact.

Perhaps Logbook needs to upgrade - RSA 1024 / MD5 could upgrade to at least 2048 and SHA-256. And signing update to use SHA-256. Doing that would require changes to both software at Logbook plus TQSL changes to allow two different signing algorithms.

Ultimately, it's a question of when we'll be forced to upgrade.

73,
-Rick

On Wed, Mar 9, 2022 at 12:34 PM Greg Troxel <gd...@le...> wrote:
>
> Richard Shaw <hob...@gm...> writes:
>
> > On Wed, Mar 9, 2022 at 8:01 AM Greg Troxel <gd...@le...> wrote:
> >
> >> Richard Shaw <hob...@gm...> writes:
> >>
> >> > Just a heads up, but Fedora Linux is considering dropping SHA-1 support
> >> > since it's no longer considered secure. I can't remember what TQSL uses so
> >> > wanted to check here if TQSL would be impacted.
> >>
> >> Do you mean "remove support for SHA-1 from the system"? That seems
> >> extreme and likely to cause a huge amount of trouble. What's the story
> >> about git?
> >>
> >> If you mean "encourage use of SHA2 and others instead for most uses, and
> >> require it for validating packages", that's something else.
> >
> > Here's the link to the thread. It's probably better to read it there than
> > for me to try and paraphrase. I'm certainly not an encryption expert by any
> > means.
> >
> > https://lists.fedoraproject.org/archives/list/de...@li.../thread/VVLHQAWI3IQ7NRLKMUHJ27JV3V2JAFDP/
>
> Thanks. It looks like it means withdraw SHA-1 from openssl. Wow.
>
> Here's the key quote:
>
>   Fedora is a large distribution with short release cycles, and the only
>   realistic way to weed out its reliance on SHA-1 signatures from all of
>   its numerous dark corners is to break them.
>
> _______________________________________________
> Trustedqsl-testing mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedqsl-testing
>

--
Rick Murphy, D.Sc., CISSP-ISSAP, K1MU/4, Annandale VA USA
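The migration Rick sketches above (sign with RSA/SHA-256, keep a legacy RSA/MD5 verify path that only works when explicitly switched on, and reject anything else) as an added example that is not TQSL's or Logbook's code. It drives the openssl command-line tool, which is assumed to be on PATH; the ALLOW_LEGACY_MD5_VERIFY variable, the key and signature file names and the sample ADIF log line are all constructed for this example, and OPENSSL_ENABLE_MD5_VERIFY itself is the Fedora bypass named in the thread and is not consulted here.

```shell
#!/bin/sh
# Added example, not TQSL or Logbook code: a signer and verifier that
# accept two signing algorithms during a migration. RSA/SHA-256 is the
# current algorithm; RSA/MD5 is a legacy verify-only path that must be
# enabled explicitly (modelled on the OPENSSL_ENABLE_MD5_VERIFY bypass;
# ALLOW_LEGACY_MD5_VERIFY is a constructed name, not an OpenSSL one).
# Requires the openssl command.

WORK="${TMPDIR:-/tmp}/sig-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log in ADIF-like form; any file content would do.
printf '<CALL:5>K1ABC <QSO_DATE:8>20220309 <TIME_ON:4>1351 <BAND:3>20M <MODE:3>SSB <EOR>\n' \
    > "$WORK/log.adi"

# Generate a 2048-bit RSA key pair (the size proposed as the new minimum).
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null &&
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}

# sign_log DIGEST LOGFILE SIGFILE: sign LOGFILE with the private key using
# the named digest, writing the raw signature to SIGFILE.
sign_log() {
    openssl dgst "-$1" -sign "$WORK/key.pem" -out "$3" "$2" 2>/dev/null
}

# verify_log DIGEST LOGFILE SIGFILE: exit status 0 if the signature
# verifies, 1 if it does not, 2 if the legacy digest is refused by policy,
# 3 if the digest is not one this verifier accepts at all.
verify_log() {
    case "$1" in
        sha256) ;;
        md5) [ -n "$ALLOW_LEGACY_MD5_VERIFY" ] || return 2 ;;
        *) return 3 ;;
    esac
    openssl dgst "-$1" -verify "$WORK/pub.pem" -signature "$3" "$2" \
        >/dev/null 2>&1 || return 1
}

# Stand-alone demonstration: run as "sh example.sh demo".
demo() {
    make_keys || { echo "key generation failed"; return 1; }
    sign_log sha256 "$WORK/log.adi" "$WORK/log.sha256.sig"
    verify_log sha256 "$WORK/log.adi" "$WORK/log.sha256.sig" \
        && echo "sha256: verified"
    # Change one byte of the log; the signature must no longer verify.
    sed 's/K1ABC/K1ABD/' "$WORK/log.adi" > "$WORK/tampered.adi"
    verify_log sha256 "$WORK/tampered.adi" "$WORK/log.sha256.sig" \
        || echo "sha256: tampered log rejected (rc=$?)"
    # Legacy MD5 verification is refused unless explicitly allowed.
    verify_log md5 "$WORK/log.adi" "$WORK/log.sha256.sig" \
        || echo "md5: refused by policy (rc=$?)"
    # SHA-1 is not on the accepted list at all.
    verify_log sha1 "$WORK/log.adi" "$WORK/log.sha256.sig" \
        || echo "sha1: unknown algorithm (rc=$?)"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The point of the case statement is that the verifier, not the environment's OpenSSL policy, decides which algorithms it will check: the current one unconditionally, the legacy one only behind an explicit switch, and everything else never. That keeps the legacy path auditable and lets it be removed by deleting one line once Logbook has re-signed everything with SHA-256.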
From: Björn E. <bj...@ek...> - 2022-03-10 10:10:10

The cybersecurity community deemed SHA-1 too insecure for any serious use already in 2005.

Björn

On Wed, 9 Mar 2022 at 18:34, Greg Troxel <gd...@le...> wrote:
>
> Richard Shaw <hob...@gm...> writes:
>
> > On Wed, Mar 9, 2022 at 8:01 AM Greg Troxel <gd...@le...> wrote:
> >
> >> Richard Shaw <hob...@gm...> writes:
> >>
> >> > Just a heads up, but Fedora Linux is considering dropping SHA-1 support
> >> > since it's no longer considered secure. I can't remember what TQSL uses so
> >> > wanted to check here if TQSL would be impacted.
> >>
> >> Do you mean "remove support for SHA-1 from the system"? That seems
> >> extreme and likely to cause a huge amount of trouble. What's the story
> >> about git?
> >>
> >> If you mean "encourage use of SHA2 and others instead for most uses, and
> >> require it for validating packages", that's something else.
> >
> > Here's the link to the thread. It's probably better to read it there than
> > for me to try and paraphrase. I'm certainly not an encryption expert by any
> > means.
> >
> > https://lists.fedoraproject.org/archives/list/de...@li.../thread/VVLHQAWI3IQ7NRLKMUHJ27JV3V2JAFDP/
>
> Thanks. It looks like it means withdraw SHA-1 from openssl. Wow.
>
> Here's the key quote:
>
>   Fedora is a large distribution with short release cycles, and the only
>   realistic way to weed out its reliance on SHA-1 signatures from all of
>   its numerous dark corners is to break them.
>
> _______________________________________________
> Trustedqsl-testing mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedqsl-testing
>